[Python-Dev] Hash collision security issue (now public)

Nick Coghlan ncoghlan at gmail.com
Fri Jan 6 02:33:50 CET 2012

On Fri, Jan 6, 2012 at 10:59 AM, Benjamin Peterson <benjamin at python.org> wrote:
> What exactly is the disadvantage of a sys attribute? That would seem
> preferable to an obscure incarnation like that.

Adding sys attributes in maintenance (or security) releases makes me nervous.

However, Victor and Christian are right about the need for a special
case to avoid leaking information, so my particular suggested check
won't work.

The most robust check would be to run sys.executable in a subprocess
and check if it gives the same hash for a non-empty string as the
current process.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Python-Dev mailing list